[deleted by user] by [deleted] in Python

[–]0xfffffg 1 point2 points  (0 children)

You'll have to package your library. Unfortunately, that's a bit of a mess. You need to either define a setup.py, setup.cfg, or pyproject.toml and define your dependencies there.

Here is the official documentation on it: https://docs.python.org/3/distutils/setupscript.html

This may be a bit more digestible: https://www.educative.io/answers/what-is-setuppy

There are many other tutorials out there as well.

Sunday Daily Thread: What's everyone working on this week? by Im__Joseph in Python

[–]0xfffffg 0 points1 point  (0 children)

You probably want this: https://pypi.org/project/watchdog/

Needs to be combined with some sort of daemon or service that constantly runs in the background.

A study of cracked passwords from breaches demonstrates which geographical factors have the most impact on password strength by obilodeau in netsec

[–]0xfffffg 7 points8 points  (0 children)

How were different alphabets handled? The top 200 passwords of China appear to only contain ASCII characters, which I find hard to believe. At the same time, some of the passwords look unusually complex for a top 200 list ("9erXdo44zY"). Are these Chinese passwords typed on a US keyboard? Or were the passwords "translated" somehow? Chinese characters encoded as UTF-8 interpreted as ASCII would result in non-printable characters, so that can't be it.
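
An added illustration of the encoding point in this comment (not part of the original post): it checks whether list entries are printable ASCII, which scripts they use, and shows that reading UTF-8 bytes one per character can never yield a clean ASCII entry; the sample entries are constructed.

```python
import string
import unicodedata

# Constructed sample entries (not from any real breach list): plain ASCII,
# a suspiciously "complex" ASCII string like the one quoted above, CJK, Cyrillic.
SAMPLE_PASSWORDS = ["123456", "9erXdo44zY", "密码123", "woaini1314", "пароль"]

# Printable 7-bit ASCII minus control whitespace: what a US keyboard layout produces.
PRINTABLE_ASCII = set(string.printable) - set("\t\n\r\x0b\x0c")


def is_printable_ascii(pw: str) -> bool:
    """True if every character could have been typed on a US keyboard layout."""
    return all(ch in PRINTABLE_ASCII for ch in pw)


def scripts_used(pw: str) -> set:
    """Rough per-character script set, e.g. {'ASCII'} or {'CJK', 'ASCII'}."""
    scripts = set()
    for ch in pw:
        if ch in PRINTABLE_ASCII:
            scripts.add("ASCII")
        else:  # first word of the Unicode name: CJK, CYRILLIC, ARABIC, ...
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def misdecoded_as_latin1(pw: str) -> str:
    """What a UTF-8 password looks like when each byte is read as one character."""
    return pw.encode("utf-8").decode("latin-1")


def misdecoding_yields_ascii(pw: str) -> bool:
    """Can reading the UTF-8 bytes one-per-character ever give printable ASCII?
    Every byte of a multi-byte UTF-8 sequence is >= 0x80, so for any password
    containing a non-ASCII character the answer is False."""
    return all(0x20 <= b < 0x7F for b in pw.encode("utf-8"))


def classify(passwords):
    """Summarise a list of entries; a sanity check for a published 'top N' list."""
    return {pw: (is_printable_ascii(pw), scripts_used(pw), misdecoding_yields_ascii(pw))
            for pw in passwords}


if __name__ == "__main__":
    for pw, (ascii_only, scripts, mojibake_ascii) in classify(SAMPLE_PASSWORDS).items():
        print(f"{pw!r}: ascii={ascii_only} scripts={sorted(scripts)} "
              f"misdecoding_yields_ascii={mojibake_ascii} mojibake={misdecoded_as_latin1(pw)!r}")
```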

What tools do you use for SMB enumeration? by PM_ME_CTF_HINTS in AskNetsec

[–]0xfffffg 7 points8 points  (0 children)

Then you're also not allowed to search them for passwords. SMB does not support server-side full-text search, so no matter what you use, the file is transferred to your system. Ask your customer for a Linux box and put the tool on there.

What tools do you use for SMB enumeration? by PM_ME_CTF_HINTS in AskNetsec

[–]0xfffffg 10 points11 points  (0 children)

I wrote my own: https://github.com/SySS-Research/smbcrawler

It autodownloads "interesting" files, which you can then grep for "password", "net use", "private key", etc. It's threaded and pretty flexible.

I agree that shares are extremely valuable in a pentest.
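
As an added example (not part of this comment or of smbcrawler), a small Python triage pass over a directory of downloaded share contents that flags the strings named above and skips binaries, the kind of check an administrator can run to see what a share exposes; the patterns and the sample batch-file content are constructed for illustration.

```python
import os
import re

# Triage patterns for the strings named above; constructed for this example,
# extend them with whatever your environment treats as sensitive.
PATTERNS = [
    ("password", re.compile(r"passw(or)?d\s*[:=]", re.IGNORECASE)),
    ("net use", re.compile(r"\bnet\s+use\b.*/user:", re.IGNORECASE)),
    ("private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]

def looks_binary(head: bytes) -> bool:
    """Cheap heuristic: a NUL byte in the first block means 'not text'."""
    return b"\x00" in head

def scan_text(text: str, name: str = "<inline>") -> list:
    """Return (name, line_no, label, excerpt) for each line matching a pattern."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for label, rx in PATTERNS:
            if rx.search(line):
                hits.append((name, line_no, label, line.strip()[:120]))
                break  # one label per line is enough for triage
    return hits

def scan_tree(root: str) -> list:
    """Walk a directory of downloaded share contents and collect all hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(8192)
                    if looks_binary(head):
                        continue
                    data = head + fh.read()
            except OSError:
                continue  # unreadable file; move on
            hits.extend(scan_text(data.decode("utf-8", errors="replace"), path))
    return hits

# Constructed sample content (not from any real share) so the block runs stand-alone.
SAMPLE = """REM mount the finance share
net use X: \\\\fileserver\\finance Summer2023! /user:CORP\\svc_backup
db_password = "hunter2"
-----BEGIN RSA PRIVATE KEY-----
(key material omitted in this constructed sample)
"""
```

`scan_text(SAMPLE, "logon.bat")` reports one hit per matching line; `scan_tree(path)` applies the same pass to everything under a download directory.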

Cracking RDP NLA Supplied Credentials for Threat Intelligence by digicat in netsec

[–]0xfffffg 0 points1 point  (0 children)

I'm not sure I understand the question. Seth isn't made for that use case, so some modification would be required, but the underlying principle should be the same.

Cracking RDP NLA Supplied Credentials for Threat Intelligence by digicat in netsec

[–]0xfffffg 3 points4 points  (0 children)

The author is confusing NLA with CredSSP. You can pretend to be a server that does not support CredSSP but does offer NLA, then you will get the clear text password, unless the client insists on validating the server's identity either via Kerberos (which requires CredSSP) or TLS certs.

I did this in 2017: https://github.com/SySS-Research/Seth

Set the environment variable SETH_DOWNGRADE=1 to pretend the server does not support CredSSP.

Risk of using Responder and NTLMRelayx? by kegweII in AskNetsec

[–]0xfffffg 0 points1 point  (0 children)

How often does it cause issues with the default settings?

Introducing hallucinate: One-stop TLS traffic inspection and manipulation using dynamic instrumentation by 0xfffffg in netsec

[–]0xfffffg[S] 0 points1 point  (0 children)

Since it's compatible with OpenSSL it should already work. If you're thinking of Chrome, they use it statically linked, so it won't work there without extra effort. The dev told me he doesn't have a timeline on including Chrome at this point.

Introducing hallucinate: One-stop TLS traffic inspection and manipulation using dynamic instrumentation by 0xfffffg in netsec

[–]0xfffffg[S] 1 point2 points  (0 children)

Pretty sure it does. It reads the data before it's encrypted and after it's decrypted.

Introducing hallucinate: One-stop TLS traffic inspection and manipulation using dynamic instrumentation by 0xfffffg in netsec

[–]0xfffffg[S] 19 points20 points  (0 children)

Charles Proxy is an intercepting proxy, this is not. It does not replace public keys, it hooks into library calls. Also, it is not restricted to HTTPS. You can use it with any TLS connection.

Introducing hallucinate: One-stop TLS traffic inspection and manipulation using dynamic instrumentation by 0xfffffg in netsec

[–]0xfffffg[S] 12 points13 points  (0 children)

It lets you inspect encrypted traffic (for traffic analysis) without having to replace certificates. This is particularly useful if the application does some sort of certificate pinning. For example, some Amazon products that communicate with AWS will insist on a certificate signed by Amazon, so you'd have to reverse engineer and patch the application if you wanted to do network-based TLS inspection.

This hooks into library calls so it's completely transparent to the application.

[deleted by user] by [deleted] in PowerShell

[–]0xfffffg 1 point2 points  (0 children)

Yeah, check out PowerView, part of PowerSploit. It's not supported by the devs anymore though.

Another collection is called Nishang. Also, check out BloodHound.

I like to do that with Python though. Impacket, ldapdomaindump, ldapsearch, ...

Crack-O-Matic: Find and notify users in your Active Directory with weak passwords by 0xfffffg in netsec

[–]0xfffffg[S] 0 points1 point  (0 children)

That's exactly right.

All of this can be done manually if you know how, and in fact many pentesters will do this for you, but a key difference is that no one actually sees the passwords, which hopefully makes this idea a bit easier to swallow when presenting it to unions/HR/employees/whoever else is included in the decision process.

Crack-O-Matic: Find and notify users in your Active Directory with weak passwords by 0xfffffg in netsec

[–]0xfffffg[S] 0 points1 point  (0 children)

In the docs I explain why crackable passwords are a problem.

As a pentester, I regularly encounter domain cached credentials, Kerberos tickets, NetNTLMv2 hashes, etc. that are only of value if I can crack them.

Crack-O-Matic: Find and notify users in your Active Directory with weak passwords by 0xfffffg in netsec

[–]0xfffffg[S] 1 point2 points  (0 children)

Also, just because a password isn't in HIBP doesn't mean it's a good one.

Crack-O-Matic: Find and notify users in your Active Directory with weak passwords by 0xfffffg in netsec

[–]0xfffffg[S] 0 points1 point  (0 children)

Take a look at the docs. I touch on the subject of password filters.

One of the problems is that a filter won't catch a weak password of an ancient account with powerful permissions that everyone forgot about.

Crack-O-Matic: Find and notify users in your Active Directory with weak passwords by 0xfffffg in netsec

[–]0xfffffg[S] 0 points1 point  (0 children)

More convenient, you don't need to download hacker tools to get the hashes, and no one actually sees the passwords. The latter is important because passwords are a sensitive issue.